CVE-2024-27080 - Btrfs Fiemap Race Condition Leads to Silent Data Loss in Linux Kernel

Published: June 2024
Author: Exclusive analysis by ChatGPT


The Linux kernel, which powers most of today’s servers and even many desktops, is at the heart of data integrity and reliability. However, even such mature software can harbor subtle data-destroying bugs. One such issue, now assigned CVE-2024-27080, has recently been discovered and patched. This post delves into a tricky race condition in the Btrfs file system that could, in specific scenarios, silently drop file data—possibly unnoticed until it’s too late.

What is CVE-2024-27080?

CVE-2024-27080 is a vulnerability in the Btrfs filesystem code in the Linux kernel. It affects how fiemap (an ioctl used by user-space tools to discover areas of files that have data vs. holes) detects pending, unwritten data ("delalloc ranges") inside files. The issue could cause data to be skipped or lost, for example, by backup or copy utilities that rely on fiemap for accurate file layout.

TL;DR:

In a nutshell, if you use tools like cp --sparse (coreutils < 9.), and your source file is being written to (but not yet fully flushed to disk) at the moment of copying, data may silently disappear in the destination!

The Bug

Because of a necessary fix to avoid rare deadlocks in certain mmap scenarios, recent kernel code stopped holding the "io tree" lock for the entire fiemap operation; instead, it only locks when needed. That unintentionally introduced a race window during which in-flight data in the source file can be written out (the delalloc range is flushed and committed) before fiemap sees and reports it.

How the Race Occurs (Simplified)

1. Start: fiemap is called (without the sync flag) on a file that has new, unwritten data (delalloc) in a region that *looks like a hole*.
2. Iteration: Fiemap walks the file’s metadata, *but* without having locked out writers for the whole range.
3. Concurrency: At this instant, writeback flushes the data, upgrading the file region from unwritten (delalloc) to "on disk," but the view fiemap uses is stale.
4. Reporting: Fiemap, missing the just-written update, reports a *hole* rather than data—misleading user space.
5. Impact: If a utility such as cp is copying only "real" data extents, it will skip copying new data in what looks like a hole. Data lost!

This bug had direct impact on various tools

- cp (before coreutils 9.): Used fiemap to copy only the "dataful" parts of sparse files to preserve holes efficiently.

Backup and deduplication tools: Same mistake could occur if they trust fiemap.

- Fuzzing, stress-testing: Tools like Syzkaller (syzbot) unearthed this via intensive automated testing scenarios.

Example Test Case Output

A failing run of the generic xfstests case 094 shows an "ERROR: couldn't find extent…" due to this bug. (Details in original kernel commit)

generic/094 2s ... - output mismatch ...
+ERROR: couldn't find extent at 7
+map is 'HHDDHPPDPHPH'
+logical: [       5..       6] phys: ...

## Exploit/Reproduction

While this bug is not exploitable for privilege escalation or code execution, it is serious because it causes silent data loss. An attacker could in theory craft workloads causing backup utilities to skip intended data.

PoC: Making cp Silently Drop Data

Suppose you have a program that writes to a sparse Btrfs file, then copies it using cp --sparse=always from a vulnerable kernel:

# Step 1: Create a large sparse file and write to a "hole"
truncate -s 128M sparse-file
dd if=/dev/zero bs=1M count=1 seek=64 of=sparse-file
# Step 2: In a separate process flush (or not) the data

# Step 3: (Race window) -- 'cp' is called *without* --reflink, on this file
cp --sparse=always sparse-file new-copy

# Step 4: Check new-copy: region at 64MB-65MB could be missing!
md5sum sparse-file new-copy  # could mismatch

If you time the copy precisely as the delalloc is being flushed, or stress the filesystem, you’d get a silent loss in new-copy which should match the original!

The Patch

The fix involved careful restructuring of how fiemap locks ranges and queries metadata. Now, fiemap re-reads the subvolume tree if delalloc state may have changed, ensuring no data is missed. See the full patch here and its detailed commit message.

Snippet from the patch

/* Before patch: may miss in-flight delalloc data */
/* After patch: make sure to always rescan after locking for delalloc */
if (found_hole_in_cloned_leaf) {
    lock_extent();
    scan_actual_io_tree();
    // now see up-to-date extents/delalloc
}

Recommended Actions

- Update your kernel to a version with this patch included (mainline after March 2024; check with your distribution).
- Backups and critical data: Reconsider use of fiemap-based utilities on Btrfs if running a vulnerable kernel version.

References

- Kernel Patch Commit
- Btrfs Mailing List Discussion
- NVD Entry for CVE-2024-27080
- Coreutils changelog
- syzkaller/Syzbot - Linux kernel fuzzing

Conclusion

This bug showcases how subtle races in file system code can have real, damaging effects for users—even without classic security impact. Don’t delay updating your kernel if you’re a Btrfs user, especially if you rely on backups, deduplication, or sparse file handling for your critical data.

Keep your data safe—stay up to date!

*Exclusive: This post is based on the original commit, kernel mailing list discussion, and crafted for clarity. For kernel and storage admins, this is a prime reminder: “Just a race” can really be a data bomb.*

Timeline

Published on: 05/01/2024 13:15:51 UTC
Last modified on: 09/18/2025 16:15:27 UTC